Messaging security uses a simple role model in which a
role contains the authorization permission required to perform a given
operation. If messaging security is switched on, you must give any
users who connect to a bus permission to carry out the operations
that they need to perform. You do this by assigning them to the appropriate
role or roles.
Note: A user is the entity that performs an operation
such as initiating the sending of a message to a destination.
Roles
When you assign a user to a role,
this grants the user all of the permissions that the role contains.
Users can belong to groups, which are defined in the user registry,
and you can also assign a group to a role. In this case, all the users
who are members of the group are authorized to carry out the operations
for which this role contains permissions. There are two special
groups of users:
- AllAuthenticated, which contains all authenticated users. If the
AllAuthenticated group is authorized to perform an operation, then
all authenticated users are authorized to perform it. When a bus is
created, an initial set of authorization permissions is created that
allows all users in the AllAuthenticated group access to the bus and to all local destinations.
You can change these permissions to restrict access to the specific
users and groups that you want to connect to the bus.
- Everyone, which contains all users whether or not they are authenticated.
You can assign a user or group to the following types of roles:
- Connector, which contains permission to connect
to the local bus.
- Sender, which contains permission to send (produce)
a message to the destination.
- Receiver, which contains permission to receive
(consume) a message from the destination.
- Browser, which contains permission to browse
messages on the destination.
- Creator, which contains permission to create
a temporary destination based on this temporary destination prefix.
This role only applies to prefix destinations; see Destinations below.
- IdentityAdopter, which contains permission
to send a message using a different user identity. This cannot be
used from JMS.
Operations requiring authorization
When messaging security is switched on, all operations on the following
objects require authorization:
- Buses: When a user connects to a local bus, before the user is allowed
to perform any further operations, a check is made that this user
has permission to connect to this bus. If a user connected to a local
bus wants to send a message to a destination in a foreign bus, the
user must also be authorized to access the foreign bus.
- Destinations: Users require authorization to send, receive, or browse all types
of destination. Users who create a temporary destination need
to be granted create permission on the destination prefix on which
the temporary destination is based. The authorization permissions
of a temporary destination are the same as those of the destination
prefix on which it is based. The name of this special destination
prefix appears as a prefix in the temporary destination name.
- Topic spaces and topics: To access a topic within a topic space, a user must be authorized
to access both the topic space, and the specific topics within this
topic space. To make topic authorizations easier to manage, a topic
by default inherits authorization permissions from its parent in the
topic namespace. However, you can change these inherited permissions
for any given topic, or you can turn this level of authorization off
altogether for a topic space, in which case a check is made that the
user is authorized to access the topic space, but no further checks
are made at the topic level.
Default authorization permissions
The default authorization permissions provide you with a way of quickly
granting access to all local destinations. When a bus is created,
the default permissions are given initial values that grant all authenticated
users access to all local destinations. If you are using mediations,
you may want to use the default permissions to grant the mediations
user default access to all local destinations.
The default permissions apply to all destinations in a local bus namespace.
The default permissions are added to any specific permissions that you define
for an individual local destination. You can, if required, turn off the inheritance
of the default permissions for an individual destination, in which
case only the specific permissions that you create for this destination
are used for authorization checking.
For topic spaces, the default permissions are used for checking a user's
authorization to access the topic space itself, and the virtual root of the topic space.
For alias destinations, the default permissions are added to the specific
permissions for an individual alias destination, if the alias name
(that is, the name of the alias itself, not the target destination
name of the alias) is in the local bus namespace. If the alias destination
is in the namespace of another bus, the default permissions do not
apply.
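The rules above (the role model and special groups, the bus, destination, temporary-destination and topic checks, and the way default permissions are added to destination-specific ones) are modelled below as an added illustration; this is not WebSphere's own code, and every user, group, destination and topic name is constructed.

```python
# Model of the authorization rules this page describes (added illustration, not IBM's code).
ALL_AUTH, EVERYONE = "AllAuthenticated", "Everyone"

class Bus:
    def __init__(self):
        self.user_groups = {}           # user -> groups, as defined in the user registry
        self.bus_roles = {}             # role -> principals (Connector on this bus)
        self.default_roles = {}         # role -> principals, for all local destinations
        self.dest_roles = {}            # destination -> role -> principals
        self.no_default_inherit = set() # destinations with default inheritance turned off
        self.temp_prefixes = set()      # temporary destination prefixes (Creator applies here)
        self.topic_roles = {}           # (topic space, topic path) -> role -> principals
        self.topic_checks_off = set()   # topic spaces checked at the space level only

    def principals(self, user, authenticated=True):
        # Everyone always applies; AllAuthenticated only to authenticated users.
        p = {user, EVERYONE} | self.user_groups.get(user, set())
        return p | {ALL_AUTH} if authenticated else p

    def _granted(self, user, authenticated, *role_maps, role):
        allowed = set().union(*(m.get(role, set()) for m in role_maps))
        return bool(self.principals(user, authenticated) & allowed)

    def can_connect(self, user, authenticated=True):
        return self._granted(user, authenticated, self.bus_roles, role="Connector")

    def can_use_destination(self, user, dest, role, authenticated=True):
        if not self.can_connect(user, authenticated):   # Connector is always checked first
            return False
        if dest not in self.dest_roles:   # temporary destination: authorized as its prefix
            dest = next((p for p in self.temp_prefixes if dest.startswith(p)), dest)
        maps = [self.dest_roles.get(dest, {})]
        if dest not in self.no_default_inherit:
            maps.append(self.default_roles)   # default permissions are added to specific ones
        return self._granted(user, authenticated, *maps, role=role)

    def can_use_topic(self, user, space, topic, role, authenticated=True):
        # Check the topic space as a destination, then inherit from the nearest explicit ancestor.
        if not self.can_use_destination(user, space, role, authenticated):
            return False
        if space in self.topic_checks_off:   # topic-level checks turned off for this space
            return True
        parts = topic.split("/")
        for i in range(len(parts), 0, -1):
            explicit = self.topic_roles.get((space, "/".join(parts[:i])))
            if explicit is not None:
                return self._granted(user, authenticated, explicit, role=role)
        return True   # no override on the path: the topic-space permissions apply
```

Turning default inheritance off for a destination (as for AUDIT in the test setup) is the way to keep the initial AllAuthenticated grant from silently widening access to a destination you meant to restrict.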